tl;dr

• Adding the last character to a tab causes null byte overflow
• Use said overflow to unset prev_inuse bit
• Coalesce upwards with fake chunk to perform unlink attack
• Unlink attack places .bss pointer in place of heap pointer
• Editing .bss allows for Arbitrary R/W

tl;dr

• Leak JWT token through Race Condition.
• Leak authorization token via an open redirect.
• Chaining XSS & CSRF in the oauth pipeline to leak the Admin’s oauth access token.
• RCE via CVE-2023-33733.

tl;dr

• Misconfiguration in JWT token validation
• SQL Injection through JWT token
• Insecure Deserialization in .NET leading to RCE using custom class StatusCheckHelper

tl;dr

• CTR bit-flipping attack along with CRC recomputation

tl;dr

• Mutation XSS using namespace confusion
• Parsing inconsistency in JSDOM

tl;dr

• XSS using hx- attribute to fetch the flag from /api/note/flag.

tl;dr

• meta redirect to attacker website, using the html injection in the paaad.
• leak the unique subdomain with csp violation.
• Another meta redirect csrf with the leaked subdomain to make the note public.

tl;dr

• XSS + HTML sanitization library (ammonia) bypass
• Namespace confusion in ammonia using custom allowed extra tags(math & style)

tl;dr

• CRLF Injection in Headed Key in Werkzeug headers.set
• Using CRLF Injection at /?user= to Get XSS at /helloworld
• Make the admin visit /?user=<PAYLOAD> and /helloworld using cache poison or bug in regex(uninteded)

tl;dr

• Leak csrf token bypassing document.domain
• visiting /profile/ will not change the nonce
• Leak nonce using dangling markup in firefox
• Add XSS payload using the csrf to get the flag